14

There is a youtube about generating images with features designed to "poison" generative AI trained on those images.

This technique could potentially be used by anyone who was worried about their content being harvested by AI's. On any website distributing such content one could have "honeypot items/scraper trap" that is targeted at distorting the creative content. This could be images on an art website, as shown in the video. This could be discordant sound on a music distribution site, badly written text on an author's website or fake news on a news website. It is at least conceivable that this would make scraping the website for training data counter-productive, and so protect the content.

Would there be any legal issues with doing this? One would be intentionally causing "damage" to a computer system, which means one may consider Computer Misuse Act 1990 in the UK and Computer Fraud and Abuse Act in the US. One could imagine that for a web site accessible globally one should consider all jurisdictions.

User65535
  • 10,342
  • 5
  • 40
  • 88

2 Answers2

19

A necessary element of each offence in the Computer Misuse Act 1990 is "unauthorised access" or an "unauthorised act" with respect to a computer. E.g. section 3:

3 Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

(1) A person is guilty of an offence if—

(a) he does any unauthorised act in relation to a computer; ...

It seems to me that I am authorised to access and act on a computer that I own. So in effect it seems you're asking whether "any unauthorised act in relation to a computer" can be interpreted to apply to something I do to my computer that impairs another computer that crawls my computer without my consent or even knowledge.

In the absence of relevant case law - which doesn't seem to exist - we can only speculate as to whether the law might be interpreted so broadly. Computer Misuse Act cases seem to be about access to computers the defendant (A) did not have permission to access at all or (B) did not have permission to access for the specific purpose of the defendant.

I would say that sinkholes and tarpits relate to a computer owner deliberately configuring their computer to impair certain types of unwanted and unauthorised visits by other computers but neither of those seem to be illegal acts in the UK.

Which suggests another point: the owner of the unwanted, unauthorised computer visitor would have to make a complaint to attempt to have me prosecuted or sued for my act with respect to my computer, but if what they attempted is itself unlawful then they would be unlikely to make such a complaint.

Lag
  • 20,104
  • 2
  • 46
  • 76
5

As you already figured out, the UK's Computer Misuse Act 1990 applies. It specifically says (section 36) that "This subsection applies if the person intends by doing the act ... to impair the ... the reliability of any such data; " and goes on to state that "The intention referred to ... need not relate to (a)any particular computer; (b)any particular program or data; or (c)a program or data of any particular kind" so AI data is included.

However, there's another part to this: is it unauthorized ? That would need to be considered in context. After all, the hypothetical here is that the data is modified by the legal owner of the data. If that is the only act, that modification is authorized. But as soon as you lure any AI scraper to that data, the latter act would be a problem because that was not authorized.

MSalters
  • 6,749
  • 16
  • 23